CENT 305 Information Security
Firewalls & VPNs
Principles of Information Security, Chapter 6, Part 1

References
- Circuit-level Gateways vs Application Gateways
  ◦ http://www.pcstats.com/articleview.cfm?articleid=1450&page=5
- Introduction to Network Firewalls
  ◦ http://www.more.net/technical/netserv/tcpip/firewalls/
- Firewalls Explained
  ◦ http://www.dmccormick.org/firewalls.htm
- Firewall Architectures
  ◦ http://docstore.mik.ua/orelly/networking/firewall/ch04_02.htm
- Introduction to Firewalls (on-line report)
  ◦ http://www2.hawaii.edu/~sdunan/ics623/Dunan.FirewallReport.html

Topic Objectives
- Describe categories of firewalls.
- Describe firewall architectures.
- Discuss considerations for selecting architectures.

Firewalls
- The goal is to prevent specific types of information from moving between external networks and internal networks.
- In general, the arrangement of security devices placed at the perimeter of a computer network to guard the entry is collectively called a firewall, or firewall perimeter.
- At least one of those devices is a program or a hardware device called a firewall.
- So this "wall" can be several devices, including the firewall itself.

Create an integrated security system
- firewall perimeter = firewall + IDS + antivirus
- Also use access control and auditing.
- Create many firewall perimeters, at strategic entry points.
- Keep patching and updating them!

Categorizing Firewalls
- Processing mode
  ◦ Packet filtering, aka filtering (e.g. a router)
  ◦ Application gateways
  ◦ Circuit gateways
  ◦ MAC layer firewalls
  ◦ Hybrid
- Development era (generation)
  ◦ Which level of technology is used
- Structure
  ◦ Commercial-grade, residential-grade
- Implementation
  ◦ Software, hardware, hybrid

Many different firewalls to pick from
- Basic personal use: ZoneAlarm, Norton Personal, Sygate
- More commercial: e.g. Check Point Next Generation
- Many more are listed at http://directory.google.com/Top/Computers/Security/Firewalls/Products/
- Cisco firewall appliance (i.e. hardware firewall)
  ◦ http://tools.cisco.com/search/JSP/searchresults.get?strQueryText=pix+firewall&Search+All+cisco.com=cisco.com&language=en&country=US&thissection=f&accessLevel=Guest&autosuggest=true
  ◦ Performance tables: http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

Pros and Cons

Type of firewall                          | Pros                                                                                     | Cons
------------------------------------------|------------------------------------------------------------------------------------------|-----------------------------------------------------
Software, freeware                        | Easy and free                                                                            | Minimal
Software, commercial personal firewalls   | Simple, cheap                                                                            | Not too many features, not robust
Software, commercial enterprise firewalls | Typically installed on a dedicated host; real-time monitoring and other admin features   | $$$, not too easy to set up
Hardware appliances                       | Faster and more scalable than software firewalls                                         | $$$$$$, difficult to patch if bugs are discovered
Hybrid firewall                           | Provides the throughput and security of an appliance with the features of a software firewall | $$$$$$$$$$

Packet Filtering Firewalls
- Examine packet headers
  ◦ Use Access Control Lists (ACLs) to examine and control packet flow based on source/destination IP addresses in the network
  ◦ Simple firewalls examine IP (network layer) headers: source/destination IP address, protocol (UDP, TCP), inbound or outbound traffic. They can reject (deny), discard, or forward packets.
  ◦ Three types of packet filtering firewalls:
    - Static filtering: rules must be configured in advance.
    - Dynamic filtering: the firewall can modify rules dynamically in response to traffic. It opens and closes "doors" to allow only specified packets with a given source, destination, and port to pass through the firewall.
    - Stateful inspection: the firewall keeps track of the state of a connection and whether the packet "makes sense" in that context. It can check that incoming packets are responses to internal requests. If it cannot figure it out, it checks the ACL tables.
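The three filtering styles just described, worked as an added example that is not part of the slides: a stateless filter evaluating the course's sample ACL table (the one on the following slides) with first-match semantics, and a stateful filter that admits replies from its state table and only falls back to the ACL for new flows. Assumptions are labelled in the comments: rules are matched top-down, "192.168.120.0" means the whole /24 network, and rule 3's missing source cells read "any".

```python
import ipaddress
# Constructed from the slides' stateless ACL; first matching rule wins (assumption).
# "192.168.120.0" is read as the whole /24 network and "Above 1023" as the
# ephemeral port range; rule 3's missing source cells are assumed to be "any".
ACL = [
    ("any", "any", "192.168.120.0/24", "above 1023", "allow"),  # 1
    ("192.168.120.1", "any", "any", "any", "deny"),             # 2
    ("any", "any", "192.168.120.1", "any", "deny"),             # 3
    ("192.168.120.0/24", "any", "any", "any", "allow"),         # 4
    ("any", "any", "192.168.120.2", "25", "allow"),             # 5
    ("any", "any", "192.168.120.3", "80", "allow"),             # 6
    ("any", "any", "any", "any", "deny"),                       # 7
]

def _ip_ok(field, ip):
    return field == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(field)

def _port_ok(field, port):
    if field == "any":
        return True
    if field == "above 1023":
        return port > 1023
    return port == int(field)

def stateless_filter(pkt, acl=ACL):
    """pkt = (src_ip, src_port, dst_ip, dst_port); returns (rule_no, action) of the first match."""
    src, sport, dst, dport = pkt
    for n, (s, sp, d, dp, action) in enumerate(acl, 1):
        if _ip_ok(s, src) and _port_ok(sp, sport) and _ip_ok(d, dst) and _port_ok(dp, dport):
            return n, action
    return 0, "deny"  # nothing matched: default deny

class StatefulFilter:
    """Stateful inspection: a reply to a tracked connection passes on the state table alone;
    any other packet is checked against the ACL and, if allowed, its flow is recorded."""
    def __init__(self, acl):
        self.acl, self.state = acl, set()
    def filter(self, pkt):
        src, sport, dst, dport = pkt
        if (dst, dport, src, sport) in self.state:  # reverse direction of a tracked flow
            return "established", "allow"
        n, action = stateless_filter(pkt, self.acl)
        if action == "allow":
            self.state.add(pkt)  # remember the new connection
        return f"rule {n}", action

# With a state table admitting replies, the stateful filter can drop rule 1, which a
# stateless filter needs so that return traffic to ephemeral ports can get back in.
STATEFUL_ACL = ACL[1:]
```

Run against the sample table, rule 1 lets any outside packet reach any internal high port (the reason the slides ask why an IDS is still needed), and because it precedes rule 3 it also shadows the deny for 192.168.120.1 on high ports; the stateful filter denies the same unsolicited packet while still passing the reply to an internal host's web request.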
IP Packet Structure (figure)

Sample ACL table for a stateless packet filtering firewall

Rule | Source IP      | Source port | Dest IP        | Dest port  | Action
-----|----------------|-------------|----------------|------------|-------
1    | any            | any         | 192.168.120.0  | above 1023 | Allow
2    | 192.168.120.1  | any         | any            | any        | Deny
3    | any            | any         | 192.168.120.1  | any        | Deny
4    | 192.168.120.0  | any         | any            | any        | Allow
5    | any            | any         | 192.168.120.2  | 25         | Allow
6    | any            | any         | 192.168.120.3  | 80         | Allow
7    | any            | any         | any            | any        | Deny

Discussion: how do we read such a table? (Look at the Review of TCP and Logic file.)
Discussion: what do these rules mean? Do you see why an IDS is necessary?

Stateful Inspection Firewalls
- Examine transport layer headers
- Track the state of transport layer connections using a state table.
  ◦ Able to track TCP and UDP source/destination ports and TCP flags in particular
- Dynamic stateful inspection firewalls
  ◦ Maintain dynamic state tables to modify filtering rules based on network events

TCP and UDP Packet Structure (figure)

Sample ACL table for a stateful packet filtering firewall

Source IP        | Source port | Dest IP          | Dest port | Connection state
-----------------|-------------|------------------|-----------|-----------------
192.168.120.101  | 1037        | 209.233.19.22    | 80        | Established
192.168.120.104  | 1022        | 165.66.28.22     | 80        | Established
192.168.120.107  | 1010        | 65.66.122.101    | 25        | Established
192.168.120.102  | 1035        | 212.33.19.4      | 79        | Established
233.54.33.5      | 1899        | 192.168.120.101  | 80        | Established
306.33.21.3      | 3558        | 192.168.120.101  | 80        | Established

Discussion: how do we read such a table? (Should we look at the Review of TCP and Logic file?)
Discussion: what do these lines mean?

Where do we put packet filters?
- Cloud, packet filter, proxy server, inside net
- Cloud, packet filter, DMZ, packet filter, inside net

Application Gateways
- AKA application-level firewall, application firewall, or proxy server
- Frequently installed on a separate computer but used in conjunction with the filtering router
- Examines application layer information to determine service type, etc.
- Acts as a proxy for a service request
  ◦ A web server proxy receives requests for web pages, accesses the web server, and returns the pages to the client
  ◦ Able to store recently accessed pages in a local cache; may be referred to as a cache server.
- Frequently placed in an unsecured network location, or a DMZ network
- Can be used to route all internal traffic for web pages via the intermediate proxy server
- Still widely used for e-commerce, but DMZ networks are becoming more commonly used.
- Can be slower than other types of firewalls.
- Designed for one or a few protocols; cannot be easily reconfigured.

Proxy Server (figure; also called application gateway, application-level firewall, or application firewall)
- E.g. a web proxy receives traffic meant for/from the web server and then delivers it to/from the web server.
- In the figure, the web server is protected by a firewall. There can be a packet-filter firewall in front of the proxy too.

Circuit Gateways
- AKA circuit gateway firewall or circuit-level gateway
- Operates at the transport layer
- Creates tunnels connecting specific processes or systems and allows only authorized traffic in the tunnels
- Only examines address and port information; does not examine application layer data.

MAC Layer & Hybrid Firewalls
- MAC layer filtering
  ◦ Operates at Layer 2 and examines MAC addresses
  ◦ Typically included as a feature of packet filtering firewalls or hardware firewalls.
- Hybrid firewalls
  ◦ Contain components of different types of firewalls:
    - packet filtering + MAC layer filtering
    - packet filtering + circuit gateway
    - packet filtering + proxy server

Firewall Generations
- First generation
  ◦ Static packet filtering
- Second generation
  ◦ Proxy servers or application-level firewalls
- Third generation
  ◦ Stateful inspection firewalls
- Fourth generation
  ◦ Dynamic packet filtering firewalls
- Fifth generation
  ◦ Kernel proxy: operates at multiple layers of the protocol stack
  ◦ Windows NTEXEC kernel
  ◦ Cisco Centri Firewall kernel

Firewall Structures
- Commercial-grade firewall appliances
  ◦ Standalone, self-contained hardware and software
  ◦ Firmware-based instructions increase reliability and performance and reduce the chance of compromise
  ◦ Rule sets stored in nonvolatile RAM
- Commercial-grade firewall systems
  ◦ Application software running on general-purpose computers
- Small Office/Home Office (SOHO) grade firewall appliances
  ◦ Protection for always-on high-speed Internet connections
  ◦ Support stateful inspection, MAC filtering, port forwarding and NAT
  ◦ May provide intrusion detection capability
- Residential-grade firewall software
  ◦ Frequently available as free or inexpensive software packages that run on individual hosts.

SOHO Hardware vs Software Firewall
- Suggestion: use BOTH
  ◦ Implements the strategy of defense in depth
  ◦ Hardware firewalls reduce or eliminate the exposure of individual systems to scanning and probes
    - Very likely to eliminate 100% of pre-attack probes
    - May improve system performance by reducing unnecessary traffic on the local network
    - SOHO hardware firewalls are not especially expensive and are well worth the investment
  ◦ Software firewalls provide an alternative, secondary firewall as a backup if someone breaks through the perimeter firewall.

Firewall Architectures
- Four common implementations
  ◦ Packet Filtering Routers
  ◦ Screened Host Firewalls
  ◦ Dual-Homed Host Firewalls
  ◦ Screened Subnet Firewalls (with DMZ)

Packet Filtering Routers
- Basic border firewall (figure)

Untrusted Host
- Exposed hosts outside the border firewall
- The host is configured for minimal services
- Both incoming and outgoing traffic goes through the external host
  ◦ E.g., a proxy server
- Internal hosts cannot trust the external host
- If all traffic routes through the untrusted host, it may also be a dual-homed host.

Screened Host
- Untrusted host on a separate network and inside the firewall
- Still untrusted by internal hosts
- Other untrusted hosts can be on the same network
- Creates a public access network (e.g., web access), aka DMZ, aka perimeter network or service network

Dual-Homed Host
- All traffic enters/leaves the internal network via the proxy server.
- The proxy server may or may not be the firewall; they are not required to be the same device.

Screened Subnet Firewall
- Traffic between the internal network and the Internet traverses two firewalls and the DMZ network
- Hosts in the DMZ act as publicly accessible servers
- Traffic entering the inner firewall must originate from a host in the DMZ
- Internal firewalls provide protection between internal subnets

Firewall Configuration Advantages/Disadvantages

Configuration                      | Advantages                                                   | Disadvantages
-----------------------------------|--------------------------------------------------------------|------------------------------------------------------------------------------------------
Screening router                   | Simple, cheap; a stateful packet filter is good for home use | Minimal protection; viruses, trojans, etc. might get through
Dual-homed host                    | Simple, cheap, can work well if configured well              | Single point of failure and entry; depends entirely on the host computer
Screened host                      | Two layers of protection for home and small business         | Single point of failure and entry; depends entirely on the host computer and the router that protects it
Screened subnet (DMZ)              | Isolates public servers from the internal LAN and thus protects it | Servers in the DMZ are highly vulnerable and must be hardened
Multiple DMZs/firewalls            | Layers of protection for a business network                  | $$$
Single DMZ/two firewalls           | Balances a heavy traffic load                                | $$$
Branch offices/multiple firewalls  | Each office is protected                                     | Each location has to be set up
Reverse firewall                   | Monitors internal users' access to external nets             | Can slow down access to external nets (even parts of the internal LAN)

SOCKS Servers
- SOCKS
  ◦ Protocol for handling TCP traffic through a proxy server.
  ◦ Proprietary, circuit-level proxy server. Uses special client-side SOCKS agents on each workstation. Filtering occurs in the workstations rather than the proxy server, so each workstation must be managed as a firewall detection and protection device.
  ◦ May require extra support and management resources, since individual clients must also be managed.

SOCKS Server (figure)
- Note: the figure depicts a dual-homed host configuration with inner and outer firewalls.

Firewall Selection
- Factors to consider
  ◦ Which firewall design provides the desired protection?
  ◦ What type of firewall technology offers the right balance between protection and cost and meets the needs of the organization?
  ◦ What features are included in the base price, and which are add-ons? Are all cost factors known?
  ◦ How easy is it to set up and configure? How accessible are knowledgeable staff to support the firewall?
  ◦ Can the proposed firewall adapt to projected network growth in the organization?